We review the current status of the αη direct encryption protocol. After describing αη, we summarize the main security claims made on it. We then describe recent attacks developed against it in the literature, and suggest security enhancements and future research directions based on our results.

1 Introduction 


This article summarizes a poster presentation at QCMC 2006 on the security of the αη protocol. The αη protocol [1, 2, 3, 4, 5] was developed as an efficient (the 'η' in αη) quantum encryption protocol using coherent states ('α'). Its objective being direct data encryption, it is inappropriate to compare it with quantum cryptographic protocols for key generation, such as BB84, continuous-variable QKD, and entanglement-based QKD protocols. First of all, αη uses a pre-shared secret key (typically a few thousand bits long) that is not assumed in key generation protocols (except for a short authentication key). Secondly, the criterion of success of an encryption protocol is not so stringent as in a key generation protocol, where one ideally desires to distill bits that are nearly random to Eve. For the first reason given above, it is also inappropriate to compare αη to a composite protocol in which, e.g., BB84 is used to generate nearly random keys which are subsequently used for data encryption through, e.g., one-time pad. On the other hand, from a cryptographic standpoint, one can make a fair comparison between αη and a standard classical encryption protocol like one-time pad or AES, since the cryptographic objective is the same in both cases. Unfortunately, to our knowledge, there is no universally agreed upon security criterion for standard encryption which can be calculated for any meaningful standard cipher (excluding one-time pad). Thus, security claims are usually made given certain unproved assumptions, and in some cases these assumptions have only sociological support. Given this situation, we will take care to state all the assumptions made for our claims in the rest of this article.

2 The αη cryptosystem

We now describe the steps of operation of an αη cryptosystem as depicted in Fig. 1:

(1) Alice and Bob share a secret key K. 

(2) Using a key expansion function $\mathrm{ENC}(\cdot)$, e.g., a linear feedback shift register or AES in stream cipher mode, the seed key $K$ is expanded into a running key sequence that is chopped into $n$ blocks: $K^{mn} = \mathrm{ENC}(K) = (K_1, \ldots, K_{mn})$. Here, $m = \log_2(M)$, so that $Z_i = (K_{(i-1)m+1}, \ldots, K_{im})$ can take $M$ values. The $Z_i$ constitute the keystream.

(3) For each bit of the plaintext sequence $X^n = (X_1, \ldots, X_n)$, Alice transmits the coherent state

$$|\psi(X_i, Z_i)\rangle = |\alpha e^{i\theta(X_i, Z_i)}\rangle. \qquad (1)$$

Here, $\alpha \in \mathbb{R}$ and $\theta(X_i, Z_i)$ takes values in the set $\{0, \pi/M, \ldots, (2M-1)\pi/M\}$. The function $\theta$ taking the data bit and keystream symbol to the actual angle on the coherent state circle is called the mapper. In this article, we assume that $\theta(X_i, Z_i) = [Z_i/M + (X_i \oplus \mathrm{Pol}(Z_i))]\pi$, where $\mathrm{Pol}(Z_i) = 0$ or $1$ according to whether $Z_i$ is even or odd. Thus $Z_i$ can be thought of as choosing a 'basis' with the states representing bits 0 and 1 as its end points.
(4) In order to decrypt, Bob runs an identical $\mathrm{ENC}$ function on his copy of the seed key. For each $i$, knowing $Z_i$, he makes a quantum measurement to discriminate the two states $|\psi(0, Z_i)\rangle$ and $|\psi(1, Z_i)\rangle$ and recover the input bit.
Figure 1: Left - Overall schematic of the αη encryption system. Right - Depiction of two of $M$ bases with interleaved logical bit mappings.



3 Security Claims 

We list in this section our theoretical claims regarding αη, leaving a discussion of some attacks on it to the next section.

1. Random Cipher Character: First, we claim [2, 3, 4] that the fundamental performance of αη is equivalent to that of a corresponding classical random cipher when Eve makes individual identical heterodyne or phase measurements on each optical qumode. A random cipher differs from a non-random one in associating more than one ciphertext to every plaintext-key pair. For known-plaintext attack on the key, we have defined in [3] a parameter $\Gamma$ that is a measure of the number of running keys that can be associated to a given plaintext-ciphertext symbol pair, which we expect to be, at least qualitatively, relevant to security. Under heterodyne attack, we estimate $\Gamma \sim M/(\pi\sqrt{S})$ for signal energy $S$. This number works out to around 3 for the typical parameters $M \sim 2000$, $S \sim 40000$ used in [3]. Further details on the above, including why random ciphers are theoretically interesting from a security standpoint, can be found in [3].

2. Assisted Brute-Force Search Complexity: One may easily see that a heterodyne measurement by Eve on each qumode $i$ gives her partial information on the keystream symbol $Z_i$, especially the most significant bits of $Z_i$ for the mapping scheme of the previous section. In our so-called 'wedge approximation' [3], she may thus tabulate the possible keystream sequences given her measurement for each $i$. We define in [3] an assisted brute-force search attack on the key to be an attack where Eve exhaustively checks (using any algorithm) for a seed key that is compatible with one of the keystream combinations. The factor by which her complexity increases we call the assisted brute-force search complexity. For example, when the $\mathrm{ENC}$ box is an LFSR, we show that it equals $C = \Gamma^{|K|/\log_2 M}$.

3. Ciphertext-Only Attack Security with DSR: In [6], we detail a technique called Deliberate Signal Randomization (DSR) involving a randomization of the state in Eq. (1) by Alice before transmission with the purpose of rendering the seed key inaccessible to Eve in a ciphertext-only attack, i.e., an attack where each data bit is independently completely random. We show therein that DSR may be done in principle, namely in the limit $S, M \to \infty$, $M/\sqrt{S} = \pi\Gamma$, at the same time preserving the $\Gamma$ that Eve sees for mode-by-mode measurements and increasing Bob's decoding error probability using the same decoding apparatus by an arbitrarily small amount. This result demonstrates that αη can in principle approach similar security under ciphertext-only attacks as that obtained from standard stream ciphers [5], even if joint quantum attacks are made.
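As an added worked example (not code from the paper or from any αη implementation), the following Python simulation ties together the steps of Section 2 and the $\Gamma$ and $C$ estimates of claims 1 and 2 above: a toy LFSR plays the ENC box, the mapper $\theta(X_i, Z_i) = [Z_i/M + (X_i \oplus \mathrm{Pol}(Z_i))]\pi$ selects the coherent-state phase, Bob decodes by projecting a heterodyne outcome onto the basis axis he knows from $Z_i$, and Eve, who lacks $Z_i$, is left with a wedge of neighbouring grid angles compatible with her noisy phase estimate. The values $M = 2048$, $S = 40000$, the 32-bit seed key and the LFSR taps are constructed toy values ($M$ is a power of two so that $m = \log_2 M$ is an integer), and the heterodyne noise model (Gaussian, variance 1/2 per quadrature) is a simplification made here, not one taken from the paper.

```python
import cmath
import math
import random

# Constructed toy parameters: M is a power of two so that m = log2(M) is an
# integer; M ~ 2000 and S ~ 40000 are the magnitudes quoted in Section 3.
M = 2048                  # number of bases
m = M.bit_length() - 1    # running-key bits per qumode, m = log2(M) = 11
S = 40000.0               # signal energy (mean photon number |alpha|^2)
ALPHA = math.sqrt(S)      # real coherent-state amplitude alpha

def lfsr_keystream(seed_bits, taps, nbits):
    """ENC box: expand the seed key K into a running key with a Fibonacci LFSR.
    taps are 0-based state positions XORed into the feedback bit (toy taps)."""
    state = list(seed_bits)
    out = []
    for _ in range(nbits):
        out.append(state[0])
        fb = 0
        for t in taps:
            fb ^= state[t]
        state = state[1:] + [fb]
    return out

def keystream_symbols(running_key, n):
    """Chop the running key into n symbols Z_i of m bits each, 0 <= Z_i < M."""
    return [int("".join(str(b) for b in running_key[i * m:(i + 1) * m]), 2)
            for i in range(n)]

def pol(z):
    """Pol(Z_i): 0 for even Z_i, 1 for odd Z_i."""
    return z & 1

def theta(x, z):
    """Mapper of Section 2: theta(X_i, Z_i) = [Z_i/M + (X_i xor Pol(Z_i))] pi."""
    return (z / M + (x ^ pol(z))) * math.pi

def encrypt(plaintext_bits, z_symbols):
    """Alice: one coherent-state amplitude alpha * exp(i theta) per data bit."""
    return [ALPHA * cmath.exp(1j * theta(x, z))
            for x, z in zip(plaintext_bits, z_symbols)]

def heterodyne(amplitude, rng):
    """Simplified heterodyne outcome: the state amplitude plus Gaussian noise
    of variance 1/2 in each quadrature."""
    sigma = math.sqrt(0.5)
    return amplitude + complex(rng.gauss(0.0, sigma), rng.gauss(0.0, sigma))

def bob_decode(outcome, z):
    """Bob knows Z_i: project onto the basis axis at angle Z_i pi/M and decide
    between the antipodal states |psi(0,Z_i)> and |psi(1,Z_i)>."""
    c = (outcome * cmath.exp(-1j * z * math.pi / M)).real
    return int(c < 0) ^ pol(z)

def gamma_estimate(bases=M, energy=S):
    """Gamma ~ M / (pi sqrt(S)), the heterodyne estimate of claim 1."""
    return bases / (math.pi * math.sqrt(energy))

def log2_assisted_bruteforce_complexity(key_bits, bases=M, energy=S):
    """log2 of C = Gamma^(|K| / log2 M), the LFSR case of claim 2."""
    return key_bits / math.log2(bases) * math.log2(gamma_estimate(bases, energy))

def eve_candidate_symbols(outcome, half_width=None):
    """Wedge approximation: without Z_i, every grid angle k pi/M within
    +-half_width of Eve's measured phase is a live candidate, and grid angle k
    corresponds to Z_i = k mod M. The default half_width is the phase-noise
    std of the heterodyne model above, 1/sqrt(2S)."""
    if half_width is None:
        half_width = 1.0 / math.sqrt(2.0 * S)
    phi = cmath.phase(outcome) % (2 * math.pi)
    cands = set()
    for k in range(2 * M):
        d = abs((k * math.pi / M - phi + math.pi) % (2 * math.pi) - math.pi)
        if d <= half_width:
            cands.add(k % M)
    return cands

def demo(n=64, seed=1):
    """Encrypt n random bits; let Bob decode and Eve tabulate her wedges."""
    rng = random.Random(seed)
    key = [rng.randrange(2) for _ in range(32)]          # toy 32-bit seed key
    running = lfsr_keystream(key, taps=(0, 1, 21, 31), nbits=n * m)
    zs = keystream_symbols(running, n)
    xs = [rng.randrange(2) for _ in range(n)]
    outcomes = [heterodyne(s, rng) for s in encrypt(xs, zs)]
    decoded = [bob_decode(o, z) for o, z in zip(outcomes, zs)]
    wedges = [eve_candidate_symbols(o) for o in outcomes]
    return {
        "bob_errors": sum(a != b for a, b in zip(decoded, xs)),
        "true_symbol_in_wedge_fraction": sum(z in w for z, w in zip(zs, wedges)) / n,
        "mean_wedge_size": sum(len(w) for w in wedges) / n,
        "gamma": gamma_estimate(),
        "log2_C_4000_bit_key": log2_assisted_bruteforce_complexity(4000),
    }
```

Calling `demo()` shows the asymmetry the paper relies on: at this signal energy Bob, who knows the basis, decodes every bit, while Eve's per-qumode wedge holds a handful of keystream symbols (of the order of $\Gamma \approx 3.3$ for these parameters, the exact count depending on the window one takes for the phase noise), and for a 4000-bit seed key the LFSR formula gives $\log_2 C \approx 620$, i.e. the factor by which the wedges multiply her brute-force search.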

4 Recent Attacks on αη

In this section, we comment on some recent attacks on αη made by the Donnet group in [7] and by ourselves. Earlier attacks by Lo and Ko and by the Nishioka group have been addressed by us in detail in the papers [5] and [3] respectively.

4.1 Correlation Attacks



Donnet et al. describe in [7] an attack based on the viewpoint that the seed key is presented to Eve making heterodyne measurements in a coded, i.e., redundant, form with noise on top. For the LFSR, a linear decoding algorithm may thus be employed to retrieve the seed key from observations. While the efficacy of such an attack for $|K| = 32$ has been demonstrated, we have commented in [6] that the linear decoding approach is exponentially complex with respect to the key size and the number of LFSR taps, both of which can be increased to make such attacks impossibly complex. We also mentioned some security measures that break the linear code structure and render linear decoding algorithms ineffective. We also showed how αη with an $\mathrm{ENC}$ using a parallel configuration of AES boxes can be used to provide more security than a single AES box.

4.2 Joint Attack on αη: Preliminary Results

All the preceding results, except the one on DSR, are concerned with attacks where Eve makes identical mode-by-mode quantum measurements. Although impractical at present, her most general attack is a joint measurement of the entire qumode sequence. For the case of known-plaintext attack on the key, with the conservative assumption that Eve is given a full copy of the transmitted quantum state, the relevant quantity is her average error probability $P_e$ of discriminating the $|K|$ states given by products of states of the form of Eq. (1) for a given plaintext sequence $x$. In [8], we developed a new general technique of upper-bounding $P_e$. Applying it to αη with an LFSR as the $\mathrm{ENC}$ box, and for the parameters mentioned above and $|K| = 4000$ bits, we find that Eve's error probability becomes completely negligible for data length $n$ in the range of 10-100 Mbits. Since this is based on an upper bound, the system could in fact be insecure for smaller $n$. This result is not too surprising, as non-random 'nondegenerate' ciphers are also broken at their nondegeneracy distance [3, 5], which is believed to be quite small.

5 Conclusion 

The insecurity of the bare αη under joint attack implies that the random cipher character of αη is not sufficient to provide a significant level of information-theoretic security. However, the system would still have great practical value if it possessed a high, e.g., exponential, level of complexity-based security. Thus, it seems that the study of complexity-based security of random ciphers, and of quantitative security measures in general, is important.